Compliance Checklist: Allowed PHI Access, Use, and Disclosure Under HIPAA
Permitted Uses and Disclosures of PHI
This section outlines the uses and disclosures of PHI that a covered entity may make without the individual's written authorization, along with the guardrails that keep those disclosures lawful. Use it to confirm whether a planned disclosure fits within allowed PHI access, use, and disclosure under HIPAA.
Core uses without authorization (TPO)
- Treatment: sharing PHI among providers to coordinate, consult, or refer care.
- Payment: activities to obtain reimbursement, verify coverage, bill, and manage claims.
- Health care operations: quality assessment, audits, accreditation, training, and other operational tasks.
Uses with an opportunity to agree or object
- Facility directories (name, location, general condition) unless the patient objects.
- Sharing with family, friends, or others involved in care when the patient agrees, does not object, or consent can be reasonably inferred.
- Disaster relief coordination with authorized organizations.
- Immunization proof to schools with agreement from the patient or appropriate guardian.
Public interest and benefit activities
- Required by law (e.g., mandatory reporting).
- Public health purposes, including preventing or controlling disease and reporting adverse events.
- Health oversight activities such as audits, investigations, and inspections.
- Judicial and administrative proceedings in response to valid legal process.
- Law enforcement purposes under specific, limited conditions.
- Averting a serious threat to health or safety consistent with professional judgment.
- Decedent information to coroners, medical examiners, funeral directors, or for organ and tissue donation.
- Specialized government functions and workers’ compensation as permitted by law.
Research and data sets
- Research with an Institutional Review Board/Privacy Board waiver or alteration of authorization.
- Preparatory to research activities without removing PHI offsite.
- Research solely on decedents’ information with appropriate representations.
- Limited data set disclosures under a data use agreement.
- De-identified information (no longer PHI) under accepted de-identification methods.
Guardrails
- Apply the minimum necessary standard to uses, disclosures, and requests, except for noted exceptions.
- Allow incidental disclosures only when reasonable safeguards and policies are in place.
- Document routine disclosures and use standardized workflows to reduce risk.
- Use role-based access and audit logs to monitor PHI handling.
Authorization Requirements
When a disclosure does not fit a permitted category, you must obtain a HIPAA-compliant authorization before using or sharing PHI.
When a HIPAA-compliant authorization is required
- Most disclosures to third parties for purposes other than treatment, payment, or health care operations.
- Marketing communications, apart from the narrow exceptions (face-to-face communications and promotional gifts of nominal value); if the entity receives financial remuneration for the communication, the authorization must say so.
- Sale of PHI under any arrangement where the entity receives direct or indirect payment.
- Psychotherapy notes (separate, specific authorization required, with narrow exceptions).
- Employment-related disclosures requested by an employer.
Required elements of a HIPAA-compliant authorization
- A specific description of the information to be used or disclosed.
- The name or other specific identification of the person(s) authorized to disclose and the recipient(s).
- The purpose of the requested use or disclosure.
- An expiration date or event.
- The individual’s signature and date (plus a personal representative statement if applicable).
- Statements about the right to revoke, the ability or inability to condition treatment/payment on signing, and the potential for redisclosure by recipients.
- Plain-language presentation and provision of a copy to the individual.
Special rules and common pitfalls
- Compound authorizations are limited; research authorizations may be combined under specific conditions.
- Authorizations must be complete and unexpired; any material defect invalidates them.
- Maintain authorization records per your retention policy and produce them on request.
- When in doubt, obtain authorization or de-identify the data before sharing.
Minimum Necessary Standard
The minimum necessary standard requires you to limit PHI to the least amount needed to accomplish the intended purpose. Build policies that default to “need-to-know.”
When the minimum necessary standard applies
- Internal uses, including workforce access to records, and routine disclosures for payment and health care operations.
- Most disclosures to third parties, including business associates, unless an exception applies.
- Requests you make to other entities for PHI.
When it does not apply
- Disclosures to or requests by a health care provider for treatment.
- Disclosures to the individual or their personal representative.
- Uses or disclosures made pursuant to a valid authorization.
- Uses or disclosures required by law or for compliance investigations by regulators.
How to implement the minimum necessary standard
- Define role-based access rules and align EHR permissions with job duties.
- Standardize routine workflows; require review for non-routine disclosures.
- Adopt “data-first” controls: masking, limited data sets, and de-identification when feasible.
- Document reasonable reliance on requestors (e.g., public officials, other covered entities) when appropriate.
- Continuously monitor access with audits and alerts for unusual activity.
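The implementation steps above (role- or purpose-based field rules, review for non-routine disclosures, limited data sets and de-identification, an audit trail) can be combined in one release function. The following is an added example, not code from the original page or from any HIPAA tool; the field names, purpose labels, and policy table are assumptions chosen for illustration, and the sample patient record is constructed and fictional.

```python
"""Purpose-based PHI release with minimum-necessary filtering and an audit trail.

Hypothetical example: field names, purposes and the POLICY table are assumptions
made for illustration, not a published HIPAA schema.
"""
from datetime import date, datetime, timezone
from typing import Any, Union

# Constructed sample record for a fictional patient; field names are assumptions.
SAMPLE_RECORD: dict[str, Any] = {
    "patient_id": "MRN-000123",
    "name": "Ada Example",
    "dob": "1931-04-15",
    "zip": "03601",
    "phone": "603-555-0100",
    "insurance_member_id": "MBR-778",
    "diagnosis_codes": ["E11.9"],
    "procedure_codes": ["99213"],
    "clinical_notes": "Follow-up for type 2 diabetes; A1c improving.",
    "psychotherapy_notes": "Session notes kept separately.",
}

# Psychotherapy notes need their own authorization, so no routine purpose releases them.
ALWAYS_WITHHELD = {"psychotherapy_notes"}

# Minimum-necessary policy: the fields each purpose may receive. Treatment and
# access by the individual are exempt from minimum necessary, so they receive the
# whole record minus the always-withheld fields.
FULL_RECORD = set(SAMPLE_RECORD) - ALWAYS_WITHHELD
POLICY: dict[str, set[str]] = {
    "treatment": FULL_RECORD,
    "individual_access": FULL_RECORD,
    "payment": {"patient_id", "name", "dob", "insurance_member_id",
                "diagnosis_codes", "procedure_codes"},
    "operations_quality": {"patient_id", "diagnosis_codes", "procedure_codes"},
    # Limited data set: direct identifiers removed; dates and zip may stay; DUA required.
    "research_limited_data_set": {"dob", "zip", "diagnosis_codes", "procedure_codes"},
    # De-identified under Safe Harbor: dates and zip are generalised in deidentify().
    "deidentified": {"dob", "zip", "diagnosis_codes", "procedure_codes"},
}
NON_ROUTINE = {"research_limited_data_set"}  # needs a documented review / DUA reference

# Three-digit zip areas with 20,000 or fewer residents must be reported as "000"
# under Safe Harbor. This list follows HHS de-identification guidance (2000 Census
# figures); verify it against current guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

AUDIT_LOG: list[dict[str, Any]] = []


def deidentify(view: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Apply Safe Harbor generalisations to the date and zip elements of a view."""
    out = dict(view)
    if "dob" in out:
        dob = date.fromisoformat(out.pop("dob"))
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        if age >= 90:
            out["age_category"] = "90+"        # even the birth year would reveal age > 89
        else:
            out["birth_year"] = str(dob.year)  # only the year of a date may remain
    if "zip" in out:
        zip3 = out.pop("zip")[:3]
        out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    return out


def release(record: dict[str, Any], purpose: str, actor: str, *,
            as_of: Union[date, str, None] = None,
            review_ref: Union[str, None] = None) -> dict[str, Any]:
    """Return the minimum-necessary view of `record` for `purpose` and log the release."""
    if purpose not in POLICY:
        raise ValueError(f"unknown purpose: {purpose}")
    if purpose in NON_ROUTINE and not review_ref:
        raise PermissionError(f"{purpose} is non-routine; a review/DUA reference is required")
    allowed = POLICY[purpose] - ALWAYS_WITHHELD
    view = {k: v for k, v in record.items() if k in allowed}
    if purpose == "deidentified":
        if isinstance(as_of, str):
            as_of = date.fromisoformat(as_of)
        view = deidentify(view, as_of or date.today())
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "purpose": purpose,
        "patient_id": record.get("patient_id"),  # logged internally even when not released
        "fields_released": sorted(view),
        "review_ref": review_ref,
    })
    return view


if __name__ == "__main__":
    print(release(SAMPLE_RECORD, "payment", "billing-svc"))
    print(release(SAMPLE_RECORD, "deidentified", "analytics-svc", as_of="2025-01-01"))
    print(AUDIT_LOG[-1])
```

The policy table is the part to review with the privacy officer: it is the written "need-to-know" rule that the minimum necessary standard asks for, and the audit entries are what an accounting of disclosures or an access investigation would be reconstructed from.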
Individual Rights
HIPAA grants individual PHI rights that you must respect and operationalize with clear procedures, timelines, and communications.
Access and copies
- Provide access to PHI in a designated record set within 30 days (one 30-day extension with written explanation).
- Deliver in the requested form and format if readily producible, including secure electronic copies.
- Honor a request to transmit by unencrypted email or another less secure method after warning the individual of the risk and noting their acceptance.
- Allow individuals to direct a copy to a designated third party when properly requested.
- Charge only reasonable, cost-based fees for copies to the individual.
Amendments
- Act on amendment requests within 60 days (one 30-day extension if needed).
- If denying, explain the basis and allow a statement of disagreement; append to future disclosures as required.
- Inform relevant parties when an amendment is accepted.
Accounting of disclosures
- Provide an accounting of disclosures made in the six years before the request, excluding TPO disclosures, disclosures to the individual, disclosures made under an authorization, and the other listed exceptions.
- Include date, recipient, description of PHI, and purpose or a copy of the authorization/legal request.
- Respond within 60 days (one 30-day extension with notice).
Restrictions and confidential communications
- Consider requested restrictions; you must agree to restrict disclosures to health plans for payment/operations when services are paid in full out-of-pocket.
- Accommodate reasonable requests for alternative means or locations of communication.
Notice of Privacy Practices
- Provide and post a clear notice describing uses/disclosures, individual rights, and your duties.
- Update the notice when practices change and redistribute as required.
Breach Notification Rule
Follow breach notification requirements when unsecured PHI is compromised. A breach is presumed unless you document a low probability of compromise after a risk assessment.
Is it a breach? Risk assessment
- Evaluate the nature and sensitivity of PHI involved.
- Identify the unauthorized person who used or received the PHI.
- Determine whether the PHI was actually acquired or viewed.
- Assess the extent to which risks were mitigated (e.g., prompt recovery, confidentiality assurances).
- Apply exceptions (e.g., certain unintentional workforce or recipient disclosures) and encryption safe harbors when applicable.
Breach notification requirements and timelines
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- For breaches affecting 500 or more individuals, notify the regulator within 60 days of discovery; if 500 or more of them reside in one state or jurisdiction, also notify prominent media serving that area within the same period.
- For fewer than 500 individuals, report to the regulator no later than 60 days after the end of the calendar year.
- Include what happened, types of data involved, steps individuals should take, your mitigation efforts, and contact information.
- Business associates must notify the covered entity without unreasonable delay (no later than 60 days or sooner if the BAA requires).
Documentation, mitigation, and lessons learned
- Maintain breach logs, investigation files, and risk assessments.
- Offer mitigation such as password resets, fraud alerts, or credit monitoring when appropriate.
- Remediate root causes and update policies, training, and technical controls.
Business Associate Agreements
Use business associate agreements to bind vendors that create, receive, maintain, or transmit PHI on your behalf to HIPAA safeguards and duties.
When a BAA is required
- For third parties handling PHI for services like claims processing, data hosting, analytics, or EHR support.
- Subcontractors of business associates who handle PHI must also sign downstream agreements.
- Workforce members are not business associates; separate employment policies apply.
Core clauses to include
- Permitted and required uses/disclosures and prohibition on other uses.
- Administrative, physical, and technical safeguards aligned to the Security Rule.
- Prompt reporting of incidents, including breaches of unsecured PHI, and cooperation in investigations.
- Flow-down obligations to subcontractors handling PHI.
- Support for access, amendment, and accounting requests.
- Availability of records to regulators for compliance review.
- Return or destruction of PHI at termination where feasible.
- Right to terminate for material breach and requirement to comply with the minimum necessary standard.
Vendor oversight lifecycle
- Perform pre-contract due diligence and security assessments.
- Integrate BAA execution into procurement and onboarding checklists.
- Track vendors, services, data flows, and PHI locations in an inventory.
- Conduct periodic reviews, audits, and tabletop exercises with high-risk vendors.
- Offboard vendors with validated PHI destruction or return certificates.
Privacy and Security Policies and Procedures
Effective privacy program implementation aligns written policies, workforce behavior, and technology controls so that PHI is consistently safeguarded in day-to-day operations.
Foundational privacy policies
- Privacy, security, and breach response policies with clear ownership and update cycles.
- Workforce training, sanctions, complaints handling, and non-retaliation procedures.
- Role-based access, data retention/disposal, telework, mobile/BYOD, and medical device policies.
- Standard operating procedures for routine disclosures and minimum necessary workflows.
- Notice of Privacy Practices issuance, posting, and revision procedures.
Security Rule safeguards at a glance
- Administrative: risk analysis and management, workforce security, access management, security awareness, incident response, contingency planning, evaluation, and vendor management.
- Physical: facility access controls, workstation use/security, device and media controls.
- Technical: unique user IDs, multifactor authentication where feasible, access controls, audit logs, integrity checks, encryption in transit and at rest, and transmission security.
Operational checklist for privacy program implementation
- Designate and empower a privacy officer and security officer.
- Map PHI systems and data flows; document where PHI is created, received, maintained, or transmitted.
- Apply the minimum necessary standard across applications, APIs, and reports.
- Automate monitoring for unusual access, exfiltration, and tracking technologies.
- Run periodic access recertifications and segregation-of-duties reviews.
- Test incident response with tabletop exercises; refine breach notification requirements and playbooks.
- Audit BAAs, validate encryption and backup/restoration, and track remediation to closure.
- Document everything—policies, risk decisions, training, assessments, and corrective actions.
Conclusion
This compliance checklist distills what HIPAA allows and requires: know the permitted pathways for PHI, obtain HIPAA-compliant authorization when needed, limit data to the minimum necessary, uphold individual PHI rights, prepare for breaches, manage vendors with strong business associate agreements, and operationalize everything through robust policies and controls. Embed these practices into daily workflows to maintain trust and consistent compliance.
FAQs
What uses of PHI are permitted without individual authorization under HIPAA?
HIPAA permits PHI use and disclosure without authorization for treatment, payment, and health care operations; certain disclosures with an opportunity for the individual to agree or object; specified public interest and benefit activities (such as public health and law enforcement under defined conditions); and approved research pathways (e.g., IRB waiver, limited data sets). De-identified data are not PHI.
How does the minimum necessary standard affect PHI disclosures?
Except for key exceptions (e.g., treatment, disclosures to the individual, valid authorization, and uses required by law), you must limit PHI to the least amount needed for the stated purpose. Implement role-based access, standardized workflows, and reviews of non-routine disclosures, and favor de-identification or limited data sets when possible.
What are the key elements required in a HIPAA authorization?
A valid authorization includes a description of the information, who may disclose and receive it, the purpose, an expiration date/event, the individual’s signature and date, and required statements about revocation, conditioning, and potential redisclosure. It must be in plain language, and a copy must be provided to the individual.
When must breach notification be provided following a PHI breach?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, also notify the regulator within 60 days, and notify the media when 500 or more residents of one state or jurisdiction are affected. For fewer than 500, report to the regulator within 60 days after the end of the calendar year. Include required content describing the incident and protective steps.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.